Fall 08 s e t o <t-base-301B-32MB N for QC-8916 LA 2.0 e Release Notes s a e l e R <t-base Release Notes CONFIDENTIAL PREFACE This document is the confidential and proprietary information of Trustonic ("Confidential Information"). This document is protected by copyright and the information described therein may be protected by one or more EC patents, foreign patents, or pending applications. No part of the document may be reproduced or divulged in any form by any means without the prior written authorization of Trustonic. Any use of the document and the information described is forbidden (including, but not limited to, implementation, whether partial or total, modification, and any form of testing or derivative work) unless written authorization or appropriate license rights are previously granted by Trustonic. TRUSTONIC MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF SOFTWARE DEVELOPED FROM THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. TRUSTONIC SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THIS DOCUMENT OR ITS DERIVATIVES. 1 <t-base Release Notes CONFIDENTIAL TABLE OF CONTENTS 1 Introduction ........................................................................................................................ 4 2 Validation conditions .......................................................................................................... 4 3 Normal World sources ........................................................................................................ 5 4 What’s new in <t-base ........................................................................................................ 5 4.1 <<t-base-301b-32MB-QC-8916-AndroidL-v001 .............................................................. 5 4.1.1 New <t-base Core Features ........................................................................................ 5 4.1.1.1 Cryptographic Functionality Update ................................................................................... 5 4.1.1.2 Android 4.4 Kitkat Keymaster ............................................................................................. 6 4.1.1.3 Endorsement ...................................................................................................................... 7 4.1.1.4 Trusted User Interface Enhancements ............................................................................... 7 4.1.2 New Integration Features ........................................................................................... 7 4.1.2.1 Support of ARMv8 Application Processors ........................................................................ 7 4.1.2.2 Memory Extension for Secure Drivers ................................................................................ 7 4.1.2.3 Trusted User Interface Enhancements ............................................................................... 8 4.1.3 Fixed Issues ............................................................................................................... 8 4.2 <t-base-300 .................................................................................................................... 9 4.2.1 New Core Features .................................................................................................... 9 4.2.2 New Integration Features ..........................................................................................10 4.2.3 Fixed Issues ..............................................................................................................10 4.3 <t-base-202 ...................................................................................................................15 4.3.1 New Core Features ...................................................................................................15 4.3.2 New Integration Features ..........................................................................................15 4.3.3 Fixed Issues ..............................................................................................................15 4.4 <t-base-201 ...................................................................................................................17 4.4.1 New Core Features ...................................................................................................17 4.4.2 Fixed Issues ..............................................................................................................17 2 <t-base Release Notes CONFIDENTIAL 3 <t-base Release Notes CONFIDENTIAL 1 I NTRODUCTION This document is the Release Notes for the <t-base product on Qualcomm 8916 platform, LA2.0 SW branch. The version of the product is <t-base-301b-32MB-QC-8916-AndroidL-v001. This version is an early access version. It passed only a limited set of tests. 2 V ALIDATION CONDITIONS The total amount of memory allocated to <t-base on any Qualcomm platform is customizable by customers at integration step. This release has been validated granting 1 MB of secure memory to <t-base. 4 <t-base Release Notes CONFIDENTIAL 3 N W ORMAL ORLD SOURCES The Normal world sources corresponding to this product can be found at the following locations: Kernel: https://code.google.com/p/tee-mobicore- driver/source/detail?r=98f5203131537b5103a50a669f56352dd2c0823f&name=MC12&repo=ker nel Daemon/RootPa: https://code.google.com/p/tee-mobicore- driver/source/detail?r=b0a9adbbe76c60f90bac088365e89a50609cd46a&name=MC12&repo=da emon 4 What’s new in <t-base 4.1 <<T-BASE-301B-32MB-QC-8916-ANDROIDL-V001 4.1.1 New <t-base Core Features <t-base-301 introduces some new functionality and APIs. The new <t-base API level for <t-base-301 is 4. Therefore to use these new features, TBASE_API_LEVEL shall be set to a value equal or greater to ‘4’. The following new features and improvements are listed hereafter. 4.1.1.1 Cryptographic Functionality Update <t-base now supports: ‹ RSA key size support increase from 2048 to 4096 bits ‹ DSA algorithm with support of DSA key sizes from 512 to 3072 bits ‹ ECDSA with NIST P-192, P-224, P-256, P-384 and P-521 curves 5 <t-base Release Notes CONFIDENTIAL Updated cryptographic parameters in the <t-base API specifications have been added. ‹ New key pair type TLAPI_DSA added to tlApiKeyPairType_t ‹ New key pair type TLAPI_ECDSA added to tlApiKeyPairType_t ‹ New DSA key data structure tlApiDsaKey_t added. ‹ tlApiDsaKey_t contains DSA parameters p, q, g (generator) as well as public key y and private key x. ‹ New ECDSA key data structure tlApiEcdsaKey_t added. ‹ tlApiEcdsaKey_t contains curve type (can be NIST P-192, P-224, P-256, P-384 and P- 521), public key data x and y as well as private key ‹ tlApiKey_t structure has been updated to have pointers to tlApiDsaKey_t and tlApiEcdsaKey_t structures. ‹ New signature algorithms TLAPI_SIG_DSA_RAW and TLAPI_SIG_ECDSA_RAW added to tlApiSigAlg_t. They provide both DSA and ECDSA signature operations based on raw data (i.e. the crypto driver does NOT calculate digest but instead uses plain raw data) While using ECDSA, the key size has to be as below: ‹ P-192: 24 bytes ‹ P-224: 28 bytes ‹ P-256: 32 bytes ‹ P-384: 48 bytes ‹ P-521: 66 bytes (if using 65 bytes key, it needs to have a leading '0' byte as padding) Testing of the functionality is performed via the Android 4.4 KitKat keymaster as described below. 4.1.1.2 Android 4.4 Kitkat Keymaster The <t-base software package now includes support for Android 4.4 keymaster with its implementation strengthen by ARM TrustZone® through a Trusted Application (TA) in the Secure World and a shared library in the Normal World. It is up to the <t-base integrator to include this TA and shared library in the device software image. This keymaster feature is optional to be integrated in a <t-base integration. The <t-base software package for KitKat Keymaster includes: ‹ a shared library: libMcTeeKeymaster.so ‹ a Trusted Application: 07060…0.tlbin The implementation supports the following algorithms: 6 <t-base Release Notes CONFIDENTIAL ‹ RSA with key size up to 4096 bits ‹ DSA algorithm with support of DSA key sizes from 512 to 3072bits ECDSA with NIST P- 192, P-224, P-256, P-384 and P-521 curves. Further documentation is described in the <t-base integration guide. 4.1.1.3 Endorsement When the authentication token is removed by the RootPA, a backup copy is used by the daemon for the endorsement. 4.1.1.4 Trusted User Interface Enhancements The Trusted User Interface core module supports PNG images with alpha channel. 4.1.2 New Integration Features 4.1.2.1 Support of ARMv8 Application Processors <t-base is compatible with the new ARMv8 architecture and now supports Cortex-A53 and Cortex-A57-based application processors. <t-base running on ARMV8-based chipsets has been designed to execute in conjunction with the ARM Trusted Firmware (https://github.com/ARM- software/arm-trusted-firmware). The ATF Secure Dispatcher can be found in the product package under the “ATF” directory. Even if the ATF running at EL3 is using the AArch64 instruction set, the Trusted Applications and drivers are executed with the AArch32 instruction set which means backward compatibility is retained for existing binaries. This product version supports normal world components in 32-bits and 64 bits mode. NOTE: ARM V8 support does not have any impact on existing <t-base APIs. Testing of the functionality is provided by the correct execution of <t-base test suite on ARMV8- based chipsets. 4.1.2.2 Memory Extension for Secure Drivers The virtual space accessible to Secure Drivers has been increased to 30MB. Drivers can map large sections of memory from D9 (0x800000) to D30. Testing of the functionality is provided by the correct execution of drivers using this functionality. 7 <t-base Release Notes CONFIDENTIAL 4.1.2.3 Trusted User Interface Enhancements ‹ The TUI Normal-World Driver is split into generic and platform dependent parts. ‹ All physical addresses are always using 64-bit integers to support large physical addresses. 4.1.3 Fixed Issues Trusted User Interface ‹ TBUG-125 Possible stack overflow due to recursive function Power Management ‹ TBUG-130 fcHandler_SWAP_CPU potential corruption of its stack ‹ TBUG-158 missing DMB barrier instruction after setting a new value of the currentCore Crypto ‹ TD-267 GP Crypto API PSS sign and verify support non-empty salt ‹ TBUG-172 Potential for function endorse() to overwrite its own memory ‹ TBUG-229 tlApiMessageDigestInitWithData correctly parses the Data parameter Daemon ‹ TBUG-177 RECV_PAYLOAD_FROM_CLIENT() and Connection::readData fixed error handling issue. Linux Driver ‹ TBUG-233 overflow of the counter used for handles was not properly managed 8 <t-base Release Notes CONFIDENTIAL 4.2 <T-BASE-300 4.2.1 New Core Features <t-base-300 introduces the following new features and improvements: Trusted User Interface (TUI) The <t-base Internal API supports a new API for the Trusted User Interface. The TUI API allows Trusted Applications to retrieve securely inputs from the end-user and to securely displays data to the device display. This API is available to both Legacy and GlobalPlatform Trusted Applications <t-base comes with a new unified Secure Driver template for the Trusted User Interface to ease the porting of the TUI on the silicon platform. <t-play DRM API The <t-base Internal API supports a new DRM API for processing DRM content. This API allows Trusted Applications to decrypt and play media content through the secure media components of the platform. This API is available to both Legacy and GlobalPlatform Trusted Applications <t-base comes with a new unified Secure Driver template for DRM to ease the porting on the silicon platform. GlobalPlatform API <t-base-300 supports GlobalPlatform APIs including: ‹ GlobalPlatform Client API ‹ GlobalPlatform Cryptographic API ‹ GlobalPlatform Trusted Storage API ‹ GlobalPlatform Memory Management API The list of functions which are supported is indicated in “t-base – API Documentation”. Memory Management Trusted Applications can declare and use a heap for dynamic memory management. Increased number of Trusted Applications and Secure Drivers Subject to memory availability, up to 19 Trusted Applications and 10 Secure Drivers can be loaded simultaneously. 9